
Could tshark capture the de-encrypted packet when receiving ESP?

asked 2024-04-09 00:23:53 +0000

mzhan017

We encountered a problem: when using tshark to capture packets on one interface (virtio_net), tshark captures one ESP packet and also one packet without the ESP header, which has been decrypted by the kernel into a plain packet.

How did tshark capture the second, decrypted packet?

Thanks, Mark


1 Answer


answered 2024-04-09 01:22:46 +0000

mzhan017

updated 2024-04-09 07:23:12 +0000

grahamb

This seems expected for tunnel mode, from the kernel code in xfrm_input:

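....
    /* tunnel mode: mark the packet for decapsulation */
    if (x->outer_mode->flags & XFRM_MODE_FLAG_TUNNEL) {
        decaps = 1;
        break;
    }
....
    if (decaps) {
        if (skb->sp)
            skb->sp->olen = 0;
        skb_dst_drop(skb);
        /* the decrypted inner packet is queued back into the receive path,
           where packet taps (and so tshark) see it a second time */
        gro_cells_receive(&gro_cells, skb);
        return 0;
....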

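The behaviour described in the answer above, as a small user-space model. This is an added example, not kernel code and not part of the original answer; `xfrm_input_model`, `netif_receive`, `frames_captured` and `captured_proto` are hypothetical names, the "decryption" is a constructed stand-in, and the non-tunnel branch (not shown on the page) is assumed not to pass the capture tap again.

```c
#include <stdio.h>

#define PROTO_ESP 50          /* IANA protocol number for ESP */
#define MODE_FLAG_TUNNEL 1    /* stands in for XFRM_MODE_FLAG_TUNNEL */
#define MAX_TAP 8

struct pkt { int proto; int inner_proto; };

static struct pkt tap_log[MAX_TAP];  /* what a capture on the device records */
static int tap_count, delivered;

static void netif_receive(struct pkt p, int mode_flags);

/* Model of xfrm_input(): "decrypt", then re-inject (tunnel) or continue. */
static void xfrm_input_model(struct pkt p, int mode_flags)
{
    int decaps = (mode_flags & MODE_FLAG_TUNNEL) != 0;
    p.proto = p.inner_proto;         /* constructed stand-in for ESP decryption */
    if (decaps) {
        /* stands in for gro_cells_receive(): the inner packet re-enters the
           receive path on the same device, so the tap sees it again */
        netif_receive(p, mode_flags);
        return;
    }
    delivered++;  /* assumption: this path does not pass the tap again */
}

/* Model of the device receive path: the tap runs before protocol handling. */
static void netif_receive(struct pkt p, int mode_flags)
{
    if (tap_count < MAX_TAP)
        tap_log[tap_count++] = p;    /* capture point read by tshark */
    if (p.proto == PROTO_ESP)
        xfrm_input_model(p, mode_flags);
    else
        delivered++;
}

/* Returns how many frames a capture records for one received ESP packet. */
int frames_captured(int mode_flags)
{
    struct pkt esp = { PROTO_ESP, 6 /* inner TCP, constructed */ };
    tap_count = delivered = 0;
    netif_receive(esp, mode_flags);
    return tap_count;
}

int captured_proto(int i) { return tap_log[i].proto; }

int main(void)
{
    printf("tunnel mode: %d frames\n", frames_captured(MODE_FLAG_TUNNEL));
    return 0;
}
```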